Rooted. This box was weird and a bit annoying… Privesc felt like cheating, but what I used seemed to be placed there on purpose by the box creator. I exploited c*** manually instead of repairing it; reading the code reveals how it can be done.
I have tried rewriting this exploit, and it simply isn’t working. I’ve also tried to exploit it manually, but I’m continually getting 403s once I put a space in the input field. I’ve encoded the space and got the same thing. This is frustrating…
Rooted. Box as a whole seems too contrived. Curious if there’s more than one way to root. Path I took was a bit underwhelming.
Hints for user: once you get past using the right verb, you’ll hit the “wall.” Keep trying different things and you’ll get past it. Can be done from the UI if you understand the exploit. Then enumerate some more to get user, or you can go straight to root and then get user after.
Hints for root: standard Linux enumeration plus another exploit.
If this is too much to ask just say so but… should I be “dictionarying” m********* or c*******? I’m trying to use h**** for it but I’m new to it so I can’t tell if what I’m doing wrong is syntax or what I’m going after.
Thanks in advance
EDIT: I think I was using the wrong approach. Tried piping in my passwords of choice to something else that I had come across, but thought I’d need to know the creds already.
Can anyone who did not find the password by “guessing” but by brute forcing contact me and tell me his/her way to approach it? I built a small script using curl to read cookies + token and use them for the request, but it fails all the time.
Root hint:
Do your basic enum and watch the output very carefully. The exploit is straightforward, and once you’ve found it, don’t spoil it for other people. Clean up your tracks quickly. Good luck.
Init HINT for dumb people like me who can’t find c*******:
First you need to find m*********.
To search for m*********, you need to do the most common thing that can be done with the d**b tool, and at the same time not give it anything that is outside of its standard directory.
After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
Then the question arises: what can be done other than brute-forcing?
Here you need a hint about the teacher and verbs.
However, this was not enough for me: note that sometimes a slash can be crucial.
After that, you should look at what the server told you.
I hope I haven’t suggested too much?
If you know the exploit you need to use, you can easily convert that into a brute-force script; that’s how I did it (even after guessing it, I made the script anyway).
I’m having problems making the payload work. It looks like everything is correct, but I can’t get the reverse shell working… Any hint for this? Please PM, and thanks in advance.